d48cda4081
CI / Test (ubuntu-latest, Node 18.x, bun) (push) Failing after 15m1s
CI / Test (ubuntu-latest, Node 18.x, npm) (push) Failing after 15m1s
CI / Test (ubuntu-latest, Node 18.x, pnpm) (push) Failing after 15m1s
CI / Test (ubuntu-latest, Node 18.x, yarn) (push) Failing after 15m1s
CI / Test (ubuntu-latest, Node 20.x, bun) (push) Failing after 17m13s
CI / Test (ubuntu-latest, Node 20.x, npm) (push) Failing after 18m42s
CI / Test (ubuntu-latest, Node 20.x, pnpm) (push) Failing after 15m0s
CI / Test (ubuntu-latest, Node 20.x, yarn) (push) Failing after 49m44s
CI / Test (ubuntu-latest, Node 22.x, bun) (push) Failing after 51m55s
CI / Test (ubuntu-latest, Node 22.x, pnpm) (push) Failing after 21m57s
CI / Test (ubuntu-latest, Node 22.x, npm) (push) Failing after 37m39s
CI / Test (ubuntu-latest, Node 22.x, yarn) (push) Failing after 34m7s
CI / Validate Components (push) Failing after 37m15s
CI / Python Tests (push) Failing after 10m1s
CI / Security Scan (push) Failing after 10m1s
CI / Lint (push) Failing after 17m12s
CI / Coverage (push) Failing after 20m19s
CI / Test (macos-latest, Node 18.x, bun) (push) Has been cancelled
CI / Test (macos-latest, Node 18.x, npm) (push) Has been cancelled
CI / Test (macos-latest, Node 18.x, pnpm) (push) Has been cancelled
CI / Test (macos-latest, Node 18.x, yarn) (push) Has been cancelled
CI / Test (windows-latest, Node 18.x, npm) (push) Has been cancelled
CI / Test (windows-latest, Node 18.x, pnpm) (push) Has been cancelled
CI / Test (windows-latest, Node 18.x, yarn) (push) Has been cancelled
CI / Test (macos-latest, Node 20.x, bun) (push) Has been cancelled
CI / Test (macos-latest, Node 20.x, npm) (push) Has been cancelled
CI / Test (macos-latest, Node 20.x, pnpm) (push) Has been cancelled
CI / Test (macos-latest, Node 20.x, yarn) (push) Has been cancelled
CI / Test (windows-latest, Node 20.x, npm) (push) Has been cancelled
CI / Test (windows-latest, Node 20.x, pnpm) (push) Has been cancelled
CI / Test (windows-latest, Node 20.x, yarn) (push) Has been cancelled
CI / Test (macos-latest, Node 22.x, bun) (push) Has been cancelled
CI / Test (macos-latest, Node 22.x, npm) (push) Has been cancelled
CI / Test (macos-latest, Node 22.x, pnpm) (push) Has been cancelled
CI / Test (macos-latest, Node 22.x, yarn) (push) Has been cancelled
CI / Test (windows-latest, Node 22.x, npm) (push) Has been cancelled
CI / Test (windows-latest, Node 22.x, pnpm) (push) Has been cancelled
CI / Test (windows-latest, Node 22.x, yarn) (push) Has been cancelled
59 lines
1.7 KiB
Markdown
59 lines
1.7 KiB
Markdown
---
|
|
paths:
|
|
- "**/*.cs"
|
|
- "**/*.csx"
|
|
- "**/*.csproj"
|
|
- "**/appsettings*.json"
|
|
---
|
|
# C# Security
|
|
|
|
> This file extends [common/security.md](../common/security.md) with C#-specific content.
|
|
|
|
## Secret Management
|
|
|
|
- Never hardcode API keys, tokens, or connection strings in source code
|
|
- Use environment variables, user secrets for local development, and a secret manager in production
|
|
- Keep `appsettings.*.json` free of real credentials
|
|
|
|
```csharp
|
|
// BAD
|
|
const string ApiKey = "sk-live-123";
|
|
|
|
// GOOD
|
|
var apiKey = builder.Configuration["OpenAI:ApiKey"]
|
|
?? throw new InvalidOperationException("OpenAI:ApiKey is not configured.");
|
|
```
|
|
|
|
## SQL Injection Prevention
|
|
|
|
- Always use parameterized queries with ADO.NET, Dapper, or EF Core
|
|
- Never concatenate user input into SQL strings
|
|
- Validate sort fields and filter operators before using dynamic query composition
|
|
|
|
```csharp
|
|
const string sql = "SELECT * FROM Orders WHERE CustomerId = @customerId";
|
|
await connection.QueryAsync<Order>(sql, new { customerId });
|
|
```
|
|
|
|
## Input Validation
|
|
|
|
- Validate DTOs at the application boundary
|
|
- Use data annotations, FluentValidation, or explicit guard clauses
|
|
- Reject invalid model state before running business logic
|
|
|
|
## Authentication and Authorization
|
|
|
|
- Prefer framework auth handlers instead of custom token parsing
|
|
- Enforce authorization policies at endpoint or handler boundaries
|
|
- Never log raw tokens, passwords, or PII
|
|
|
|
## Error Handling
|
|
|
|
- Return safe client-facing messages
|
|
- Log detailed exceptions with structured context server-side
|
|
- Do not expose stack traces, SQL text, or filesystem paths in API responses
|
|
|
|
## References
|
|
|
|
See skill: `security-review` for broader application security review checklists.
|